Installing DNS plugins

Certbot's DNS plugins are available for your system. These
plugins can be used to automate obtaining a wildcard certificate from Let's
Encrypt's ACMEv2 server. To use one of these plugins, you must have configured
DNS for the domain you want to obtain a certificate for with a DNS provider
that Certbot has a plugin for. A list of these plugins and more information
about using them can be found here.
To install one of these plugins, run the installation command above but replace
certbot python2-certbot-nginx with python2-certbot-dns-PLUGIN, where PLUGIN
is the name of the plugin you want to install. For instance, for the RFC2136
plugin this would be python2-certbot-dns-rfc2136.

Get Started

Certbot has an Nginx plugin, which is supported on
many platforms, and automates certificate installation.

$ sudo certbot --nginx

Running this command will get a certificate for you and have Certbot edit your Nginx configuration
automatically to serve it. If you're feeling more conservative and would like to make the changes to your
Nginx configuration by hand, you can use the certonly
subcommand:

$ sudo certbot --nginx certonly

Note: the Nginx plugin with certonly does the following:

1. makes temporary config changes (adding a new server block to pass an ACME challenge)
2. performs a graceful reload
3. reverts all changes
4. performs another graceful reload

This appears to be a reliable process, but if you don't want Certbot
to touch your Nginx process or files in any way, you can use the
webroot
plugin instead.

If you want to obtain a wildcard certificate using Let's Encrypt's new ACMEv2
server, you'll also need to use one of
Certbot's DNS plugins. To do this,
make sure the plugin for your DNS provider is installed using the instructions
above and run a command like the following:

You'll need to replace dns-plugin with the name of the DNS plugin
you want to use. You may also need to provide additional flags, such as the path
to your API credentials, as described in the documentation for the DNS plugin
linked above.
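
An added example, not taken from the Certbot instructions: requesting a wildcard certificate with the RFC2136 plugin mentioned above, and refusing to run unless the credentials file is closed to group and others. The domain example.com, the credentials path and the key values are placeholder assumptions.

```shell
#!/bin/sh
# Added example: wildcard issuance through the RFC2136 DNS plugin.
# Assumptions (placeholders): example.com, the credentials path, the key values.
#
# Expected contents of the credentials file:
#   dns_rfc2136_server = 192.0.2.1
#   dns_rfc2136_name = keyname.
#   dns_rfc2136_secret = <TSIG secret, base64>
#   dns_rfc2136_algorithm = HMAC-SHA512

CREDS="${CREDS:-/etc/letsencrypt/rfc2136.ini}"
DOMAIN="${DOMAIN:-example.com}"

# True only for a regular file with no group/other permission bits set.
# The TSIG secret authorizes dynamic DNS updates, so keep it owner-only.
creds_are_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# DNS plugin as authenticator, Nginx plugin as installer.
issue_wildcard() {
    if ! creds_are_private "$CREDS"; then
        echo "refusing to run: chmod 600 $CREDS first" >&2
        return 1
    fi
    certbot --dns-rfc2136 --dns-rfc2136-credentials "$CREDS" -i nginx \
        --server https://acme-v02.api.letsencrypt.org/directory \
        -d "*.$DOMAIN" -d "$DOMAIN"
}

# Run as: sudo sh wildcard.sh issue
if [ "${1:-}" = "issue" ]; then
    issue_wildcard
fi
```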

Automating renewal

Certbot can be configured to
renew your certificates automatically before they expire. Since Let's Encrypt
certificates last for 90 days, it's highly advisable to take advantage of this
feature. You can test automatic renewal for your certificates by running this
command:

$ sudo certbot renew --dry-run

If that appears to be working correctly, you can arrange for automatic renewal
by adding a cron job or systemd timer which runs the
following:

certbot renew

Note: if you're setting up a cron or systemd job, we
recommend running it twice per day (it won't do anything until your
certificates are due for renewal or revoked, but running it regularly would
give your site a chance of staying online in case a Let's Encrypt-initiated
revocation happened for some reason). Please select a random minute within the
hour for your renewal tasks.

An example cron job might look like this, which will run at noon and midnight every day:
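
An added example, not the cron line from the original instructions: a script that writes an /etc/cron.d entry running certbot renew in the midnight and noon hours at a randomly chosen minute, as the note above recommends. The cron.d path, the root user field and the -q (quiet) flag are choices made for this example.

```shell
#!/bin/sh
# Added example: install a twice-daily "certbot renew" cron entry.
# Assumptions: the cron.d path and running the job as root are illustrative.

# Emit a cron.d line that fires in hours 0 and 12 at a random minute,
# so renewals from many hosts do not all arrive on the hour.
renewal_cron_line() {
    minute=$(awk 'BEGIN { srand(); print int(rand() * 60) }')
    printf '%s 0,12 * * * root certbot renew -q\n' "$minute"
}

# Write the entry once; later calls keep the minute already chosen.
install_renewal_cron() {
    target="$1"
    if [ -f "$target" ] && grep -q 'certbot renew' "$target"; then
        return 0
    fi
    renewal_cron_line > "$target"
}

# Run as: sudo sh renew-cron.sh install [path]
if [ "${1:-}" = "install" ]; then
    install_renewal_cron "${2:-/etc/cron.d/certbot-renew}"
fi
```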